
Cisco easy VPN configuration guide required

Does anyone know a link to a good document to describe the following setup?

I'm looking for a document that explains how to use a Cisco IOS router as the Easy VPN client at the remote site. The Easy VPN server at the hub site is a Cisco VPN 3000 concentrator, which I configure through the web interface.

Also, maybe just to add some confusion to the scenario (I'm sure it can be done), the Cisco router at the far end will sit behind the ISP-provided ADSL router. The ISP router will have 192.168.1.1 on the LAN interface as normal; I'll put 192.168.1.2 on the outside interface of the Cisco router and use this as the Easy VPN outside interface. The inside port of the Cisco router will provide DHCP services to connected LAN hosts on some 10.x.x.x network.

If there is any document that describes anything like this, it would be appreciated.

Thanks in advance.
1 Solution
 
L-Plate (Author) commented:
Nice document, thanks.

I seem to have it all configured as per the document, pretty much. However, I can't seem to get the VPN tunnel up. I have enabled several debugs on the router, and I have a DHCP client connected to the LAN port on the router on IP address 10.4.80.102, trying to connect to the corporate LAN. This is all I get from a debug...

000104: *Mar  1 00:15:38.979 UTC: IPSEC(key_engine): major = 1
000105: *Mar  1 00:15:38.979 UTC: IPSEC(key_engine): expired_timer
000106: *Mar  1 00:15:58.979 UTC: IPSEC(key_engine): major = 1
000107: *Mar  1 00:15:58.979 UTC: IPSEC(key_engine): expired_timer
000108: *Mar  1 00:16:18.979 UTC: IPSEC(key_engine): major = 1
000109: *Mar  1 00:16:18.979 UTC: IPSEC(key_engine): expired_timer


This is my router config; can you please check and see if you can see where I may be going wrong?

RTRSlovakiaWH#sh run
Building configuration...

Current configuration : 2812 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname RTRSlovakiaWH
!
boot-start-marker
boot-end-marker
!
enable secret ......
enable password !......
username ..... privilege 15 password .......
no aaa new-model
ip subnet-zero
!
!
ip dhcp excluded-address 10.4.80.0 10.4.80.100
!
ip dhcp pool USERS
   network 10.4.80.0 255.255.240.0
   dns-server 10.0.0.113 10.0.0.114
   default-router 10.4.80.1
   lease 2
!
!
no ip domain lookup
ip domain name nch.com
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL icmp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh break-string
login block-for 20 attempts 3 within 60
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
!
!
!
!
!
crypto ipsec client ezvpn uk
 connect auto
 group NCHSlovakiaWH100 key 3xpAn510nNcH776
 mode network-extension
 peer 213.86......
 username NCHSlovakiaWH200 password  3xpAn510nNcH776
!
!
!
!
interface Ethernet0
 description ## CONNECTS TO LAN ##
 ip address 10.4.80.1 255.255.240.0
 crypto ipsec client ezvpn uk inside
!
interface Ethernet1
 ip address 213.86...... 255.255.255.224
 ip access-group outside_access_in in
 ip inspect FIREWALL out
 duplex auto
 crypto ipsec client ezvpn uk
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip nat inside source list 10 interface Ethernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 213.86.84.193
!
no ip http server
no ip http secure-server
!
!
ip access-list extended outside_access_in
 permit esp host 213.86.84.40 host 192.168.1.2
 permit udp host 213.86.84.40 host 192.168.1.2 eq non500-isakmp
 permit udp host 213.86.84.40 host 192.168.1.2 eq isakmp
 permit esp host 213.86...... host 213.86......
 permit udp host 213.86...... host 213.86....... eq non500-isakmp
 permit udp host 213.86....... host 213.86........ eq isakmp
access-list 10 permit 10.4.80.0 0.0.15.255
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
 exec-timeout 5 0
 login local
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 exec-timeout 5 0
 password ...........
 login
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
!
end


Also, I removed the access list from the outside interface just in case this was causing any issue, but it still doesn't connect.

Any help on this would be much appreciated.

jmeggers commented:
The first thing I would suggest is adjusting your NAT configuration to exclude the IPsec traffic from NAT. So you would want to deny anything sourced from the local LAN destined for the remote LAN. That should be done on both sides to make sure the router isn't trying to NAT that traffic. After the deny statement(s), do the permit for local LAN to any. That means you'll want an extended ACL instead of a standard ACL.
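
Applied to the posted configuration, the NAT change jmeggers describes looks like the fragment below. This is an added illustration written for this page, not configuration from the thread or from Cisco. The remote-site LAN 10.4.80.0/20, the NAT statement and the interface names come from the posted config; the corporate (hub) range 10.0.0.0/8 is an assumption standing in for whatever sits behind the VPN 3000 (the DNS servers 10.0.0.113 and 10.0.0.114 in the posted DHCP pool live there), and the ACL name NAT_INSIDE is made up. The hub-side exemption jmeggers mentions is done in the concentrator's web interface, so it is not shown here.

```cisco
! Added example: keep LAN -> corporate traffic out of NAT so it enters the
! EzVPN network-extension tunnel with its real 10.4.80.x source address.
! Assumption: the hub network reachable through the VPN 3000 is 10.0.0.0/8;
! replace the deny line with the real corporate range(s).
!
! 1. Extended ACL: deny the tunnel traffic first, then permit the rest.
ip access-list extended NAT_INSIDE
 remark Tunnel traffic must not be translated (matches the deny, so no NAT)
 deny   ip 10.4.80.0 0.0.15.255 10.0.0.0 0.255.255.255
 remark Everything else from the LAN is PAT'd to the Ethernet1 address
 permit ip 10.4.80.0 0.0.15.255 any
!
! 2. Replace the standard ACL 10 on the NAT statement with the extended one.
no ip nat inside source list 10 interface Ethernet1 overload
ip nat inside source list NAT_INSIDE interface Ethernet1 overload
!
! 3. NAT only acts on interfaces marked inside/outside. The posted config
!    carries the translation rule but neither interface marker.
interface Ethernet0
 ip nat inside
!
interface Ethernet1
 ip nat outside
!
! 4. Verify. Hits on the deny line should climb when a LAN host talks to the
!    corporate range, and no translation should appear for that traffic.
!    show access-lists NAT_INSIDE
!    show ip nat translations
!    show crypto ipsec client ezvpn
!    show crypto isakmp sa
```

Two further points are visible in the posted config and worth checking alongside this. The first three entries of outside_access_in permit traffic to host 192.168.1.2, but Ethernet1 carries a 213.86.x address, so those entries never match on that interface; if the router really is to sit behind the ISP ADSL box as the original question describes, the peer will see the ISP router's public address and IKE will need to negotiate NAT-T, so both udp/500 (isakmp) and udp/4500 (non500-isakmp) must be forwarded by the ISP router and permitted inbound. Neither point is what the debug in the follow-up post below shows, though: every AG_INIT_EXCH sent to 213.86.84.40 goes unanswered until the SA is deleted with "death by retransmission P1", which means no IKE reply reaches the router at all. Before touching the LAN-side NAT again, confirm that the initial packet reaches the concentrator on udp/500 and that its reply can get back.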
L-Plate (Author) commented:
I have tried what you suggested regarding the NAT. Now it seems that more is happening, but it still hasn't formed totally.

Any ideas on the below output?

RTRSlovakiaWH#debug crypto isakmp
Crypto ISAKMP debugging is on
RTRSlovakiaWH#debug crypto ipsec
Crypto IPSEC debugging is on
RTRSlovakiaWH#
000033: *Mar  1 00:02:39.511 UTC: ISAKMP:(0:3:HW:2): retransmitting phase 1 AG_INIT_EXCH...
000034: *Mar  1 00:02:39.511 UTC: ISAKMP:(0:3:HW:2):incrementing error counter on sa: retransmit phase 1
000035: *Mar  1 00:02:39.511 UTC: ISAKMP:(0:3:HW:2): retransmitting phase 1 AG_INIT_EXCH
000036: *Mar  1 00:02:39.515 UTC: ISAKMP:(0:3:HW:2): sending packet to 213.86.84.40 my_port 500 peer_port 500 (I) AG_INIT_EXCH
000037: *Mar  1 00:02:49.515 UTC: ISAKMP:(0:3:HW:2): retransmitting phase 1 AG_INIT_EXCH...
000038: *Mar  1 00:02:49.515 UTC: ISAKMP:(0:3:HW:2):incrementing error counter on sa: retransmit phase 1
000039: *Mar  1 00:02:49.515 UTC: ISAKMP:(0:3:HW:2): retransmitting phase 1 AG_INIT_EXCH
000040: *Mar  1 00:02:49.515 UTC: ISAKMP:(0:3:HW:2): sending packet to 213.86.84.40 my_port 500 peer_port 500 (I) AG_INIT_EXCH
RTRSlovakiaWH#
RTRSlovakiaWH#
RTRSlovakiaWH#
000041: *Mar  1 00:02:59.003 UTC: IPSEC(key_engine): major = 1
000042: *Mar  1 00:02:59.003 UTC: IPSEC(key_engine): expired_timer
000043: *Mar  1 00:02:59.515 UTC: ISAKMP:(0:3:HW:2): retransmitting phase 1 AG_INIT_EXCH...
000044: *Mar  1 00:02:59.515 UTC: ISAKMP:(0:3:HW:2):incrementing error counter on sa: retransmit phase 1
000045: *Mar  1 00:02:59.515 UTC: ISAKMP:(0:3:HW:2): retransmitting phase 1 AG_INIT_EXCH
000046: *Mar  1 00:02:59.515 UTC: ISAKMP:(0:3:HW:2): sending packet to 213.86.84.40 my_port 500 peer_port 500 (I) AG_INIT_EXCH
000047: *Mar  1 00:03:09.515 UTC: ISAKMP:(0:3:HW:2): retransmitting phase 1 AG_INIT_EXCH...
000048: *Mar  1 00:03:09.515 UTC: ISAKMP:(0:3:HW:2):incrementing error counter on sa: retransmit phase 1
000049: *Mar  1 00:03:09.515 UTC: ISAKMP:(0:3:HW:2): retransmitting phase 1 AG_INIT_EXCH
000050: *Mar  1 00:03:09.515 UTC: ISAKMP:(0:3:HW:2): sending packet to 213.86.84.40 my_port 500 peer_port 500 (I) AG_INIT_EXCH
000051: *Mar  1 00:03:19.003 UTC: IPSEC(key_engine): major = 1
000052: *Mar  1 00:03:19.003 UTC: IPSEC(key_engine): expired_timer
000053: *Mar  1 00:03:19.515 UTC: ISAKMP:(0:3:HW:2): retransmitting phase 1 AG_INIT_EXCH...
000054: *Mar  1 00:03:19.515 UTC: ISAKMP:(0:3:HW:2):incrementing error counter on sa: retransmit phase 1
000055: *Mar  1 00:03:19.515 UTC: ISAKMP:(0:3:HW:2): retransmitting phase 1 AG_INIT_EXCH
000056: *Mar  1 00:03:19.515 UTC: ISAKMP:(0:3:HW:2): sending packet to 213.86.84.40 my_port 500 peer_port 500 (I) AG_INIT_EXCH
000057: *Mar  1 00:03:29.051 UTC: ISAKMP:(0:2:HW:2):purging SA., sa=81AA9B10, delme=81AA9B10
000058: *Mar  1 00:03:29.515 UTC: ISAKMP:(0:3:HW:2): retransmitting phase 1 AG_INIT_EXCH...
000059: *Mar  1 00:03:29.515 UTC: ISAKMP:(0:3:HW:2):peer does not do paranoid keepalives.

000060: *Mar  1 00:03:29.515 UTC: ISAKMP:(0:3:HW:2):deleting SA reason "death by retransmission P1" state (I) AG_INIT_EXCH (peer 213.86.84.40) input queue 0
000061: *Mar  1 00:03:29.519 UTC: ISAKMP:(0:3:HW:2):deleting SA reason "death by retransmission P1" state (I) AG_INIT_EXCH (peer 213.86.84.40) input queue 0
000062: *Mar  1 00:03:29.519 UTC: ISAKMP: Unlocking IKE struct 0x81AA99F0 for isadb_mark_sa_deleted(), count 0
000063: *Mar  1 00:03:29.519 UTC: ISAKMP: Deleting peer node by peer_reap for 213.86.84.40: 81AA99F0
000064: *Mar  1 00:03:29.519 UTC: ISAKMP: Deleted node doesn't match node to be deleted!
000065: *Mar  1 00:03:29.519 UTC: ISAKMP:(0:3:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
000066: *Mar  1 00:03:29.523 UTC: ISAKMP:(0:3:HW:2):Old State = IKE_I_AM1  New State = IKE_DEST_SA

000067: *Mar  1 00:03:29.523 UTC: ISAKMP: received ke message (3/1)
000068: *Mar  1 00:03:29.523 UTC: ISAKMP: Looking for a matching key for 213.86.84.40 in default
000069: *Mar  1 00:03:29.523 UTC: ISAKMP: received ke message (1/1)
000070: *Mar  1 00:03:29.527 UTC: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
000071: *Mar  1 00:03:29.527 UTC: ISAKMP: Created a peer struct for 213.86.84.40, peer port 500
000072: *Mar  1 00:03:29.527 UTC: ISAKMP: Locking peer struct 0x81C0E3BC, IKE refcount 1 for isakmp_initiator
000073: *Mar  1 00:03:29.527 UTC: ISAKMP:(0:0:N/A:0):Setting client config settings 81AAA1BC
000074: *Mar  1 00:03:29.527 UTC: ISAKMP: local port 500, remote port 500
000075: *Mar  1 00:03:29.531 UTC: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 81AA9B10
000076: *Mar  1 00:03:29.531 UTC: ISAKMP:(0:4:HW:2): client mode configured.
000077: *Mar  1 00:03:29.531 UTC: ISAKMP:(0:4:HW:2): constructed NAT-T vendor-03 ID
000078: *Mar  1 00:03:29.531 UTC: ISAKMP:(0:4:HW:2): constructed NAT-T vendor-02 ID
000079: *Mar  1 00:03:29.975 UTC: ISAKMP:(0:4:HW:2):SA is doing pre-shared key authentication plus XAUTH using id type ID_KEY_ID
000080: *Mar  1 00:03:29.975 UTC: ISAKMP (0:268435460): ID payload
        next-payload : 13
        type         : 11
        group id     : NCHSlovakiaWH100
        protocol     : 17
        port         : 0
        length       : 24
000081: *Mar  1 00:03:29.975 UTC: ISAKMP:(0:4:HW:2):Total payload length: 24
000082: *Mar  1 00:03:29.979 UTC: ISAKMP:(0:4:HW:2):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
000083: *Mar  1 00:03:29.979 UTC: ISAKMP:(0:4:HW:2):Old State = IKE_READY  New State = IKE_I_AM1

000084: *Mar  1 00:03:29.979 UTC: ISAKMP:(0:4:HW:2): beginning Aggressive Mode exchange
000085: *Mar  1 00:03:29.979 UTC: ISAKMP:(0:4:HW:2): sending packet to 213.86.84.40 my_port 500 peer_port 500 (I) AG_INIT_EXCH
000086: *Mar  1 00:03:39.003 UTC: IPSEC(key_engine): major = 1
000087: *Mar  1 00:03:39.003 UTC: IPSEC(key_engine): expired_timer
000088: *Mar  1 00:03:39.979 UTC: ISAKMP:(0:4:HW:2): retransmitting phase 1 AG_INIT_EXCH...
000089: *Mar  1 00:03:39.979 UTC: ISAKMP:(0:4:HW:2):incrementing error counter on sa: retransmit phase 1
000090: *Mar  1 00:03:39.979 UTC: ISAKMP:(0:4:HW:2): retransmitting phase 1 AG_INIT_EXCH
000091: *Mar  1 00:03:39.979 UTC: ISAKMP:(0:4:HW:2): sending packet to 213.86.84.40 my_port 500 peer_port 500 (I) AG_INIT_EXCH
000092: *Mar  1 00:03:49.979 UTC: ISAKMP:(0:4:HW:2): retransmitting phase 1 AG_INIT_EXCH...
000093: *Mar  1 00:03:49.979 UTC: ISAKMP:(0:4:HW:2):incrementing error counter on sa: retransmit phase 1
000094: *Mar  1 00:03:49.979 UTC: ISAKMP:(0:4:HW:2): retransmitting phase 1 AG_INIT_EXCH
000095: *Mar  1 00:03:49.979 UTC: ISAKMP:(0:4:HW:2): sending packet to 213.86.84.40 my_port 500 peer_port 500 (I) AG_INIT_EXCH
000096: *Mar  1 00:03:59.003 UTC: IPSEC(key_engine): major = 1
000097: *Mar  1 00:03:59.003 UTC: IPSEC(key_engine): expired_timer
000098: *Mar  1 00:03:59.979 UTC: ISAKMP:(0:4:HW:2): retransmitting phase 1 AG_INIT_EXCH...
000099: *Mar  1 00:03:59.979 UTC: ISAKMP:(0:4:HW:2):incrementing error counter on sa: retransmit phase 1
000100: *Mar  1 00:03:59.979 UTC: ISAKMP:(0:4:HW:2): retransmitting phase 1 AG_INIT_EXCH
000101: *Mar  1 00:03:59.979 UTC: ISAKMP:(0:4:HW:2): sending packet to 213.86.84.40 my_port 500 peer_port 500 (I) AG_INIT_EXCH
RTRSlovakiaWH#
RTRSlovakiaWH#
RTRSlovakiaWH#
RTRSlovakiaWH#
RTRSlovakiaWH#
RTRSlovakiaWH#un all
All possible debugging has been turned off
RTRSlovakiaWH#
